I'm using Snort 2.9 on Windows Server 2008 R2 x64, with a very simple configuration that goes like this:

# Entire content of Snort.conf:
alert tcp any any -> any any (sid:5000000; content:"_secret_"; msg:"TRIGGERED";)

# command line:
snort.exe -c etc/Snort.conf -l etc/log -A console

Using my browser, I send the string "_secret_" in the URL to my server (where Snort is located). Example: http://myserver.com/index.php?_secret_

Snort receives it and throws an alert, it works, no problem! But when I try something like this:

<?php // (index.php)
header('XTest: _secret_'); // header
echo '_secret_'; // data

If I just request http://myserver.com/index.php, it does not work or detect anything from the outgoing traffic, even though the PHP file is sending the same string both in the headers and in the data, with no compression/encoding whatsoever. (I checked using Wireshark.)

This looks to me like a Snort problem. No matter what I do, it only detects received packets. Did anyone ever face this sort of problem with Snort? Any idea how to fix it?


3 Answers


After 6 painful hours of trying everything, I finally fixed it!

Just needed to add -k none to the command line.

For some reason, on my desktop PC it works without the -k none parameter. If someone cares to explain what is going on, that would be very helpful. Thanks.


It sounds like checksum offloading is causing your issue.

Checksum offloading allows the NIC to compute the TCP checksum, saving the CPU from having to perform the computation. The NIC performs each calculation just before sending off a packet, and unfortunately Snort can capture a local packet before the calculation. As a result, Snort's internal checksum verification sees a checksum of 0 (since it hasn't been done yet), interprets it as a bad checksum, and doesn't further analyze the packet.

This is why adding the -k none option to snort.exe fixes it; it disables Snort's internal checksum verification, thus letting the packets be analyzed.

Just so you are aware, it is possible to check for and disable checksum offloading, but since there is some performance risk to that, I think that the -k solution is better.

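To make the mechanism in the answer above concrete, here is an added example (not code from the question or any answer) that computes and verifies the TCP checksum the way a packet sniffer's internal check does, and models Snort's two behaviours: with verification on (the default, -k all), a segment whose checksum field was captured before the NIC filled it in is discarded before content matching; with verification off (-k none) it is matched against the rule's content. The IP addresses, ports, HTTP payloads and the simplified "inspect" logic are constructed assumptions for illustration only.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"  # the checksum field is treated as zero while computing
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(seg)))  # zero, protocol 6 (TCP), TCP length
    return (~ones_complement_sum(pseudo + bytes(seg))) & 0xFFFF


def build_segment(src_port: int, dst_port: int, payload: bytes, checksum: int) -> bytes:
    """20-byte TCP header (no options) followed by payload; checksum is supplied by the caller."""
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         1, 1,            # constructed seq / ack numbers
                         5 << 4,          # data offset 5 words, no options
                         0x18,            # PSH|ACK
                         65535,           # window
                         checksum,
                         0)               # urgent pointer
    return header + payload


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the checksum carried in the header matches the one recomputed over the segment."""
    carried = struct.unpack("!H", segment[16:18])[0]
    return carried == tcp_checksum(src_ip, dst_ip, segment)


def inspect(src_ip: str, dst_ip: str, segment: bytes,
            content: bytes = b"_secret_", verify_checksum: bool = True) -> str:
    """Simplified model of Snort's handling: with verification on (-k all, the default) a bad
    checksum stops processing before the content match; with -k none the match always runs."""
    if verify_checksum and not checksum_ok(src_ip, dst_ip, segment):
        return "dropped: bad checksum"
    data_offset = (segment[12] >> 4) * 4  # header length in bytes, from the data-offset field
    if content in segment[data_offset:]:
        return "alert: TRIGGERED"
    return "no match"


# Constructed sample traffic for the scenario in the question.
CLIENT_IP, SERVER_IP = "10.0.0.5", "10.0.0.10"
REQUEST = b"GET /index.php?_secret_ HTTP/1.1\r\nHost: myserver.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nXTest: _secret_\r\nContent-Type: text/html\r\n\r\n_secret_"


def inbound_segment() -> bytes:
    """Request arriving from the client: checksum already computed by the sending host."""
    blank = build_segment(51000, 80, REQUEST, 0)
    return build_segment(51000, 80, REQUEST, tcp_checksum(CLIENT_IP, SERVER_IP, blank))


def outbound_offloaded_segment() -> bytes:
    """Response captured on the server before the NIC filled in the checksum (field still 0)."""
    return build_segment(80, 51000, RESPONSE, 0)


if __name__ == "__main__":
    print("inbound, -k all :", inspect(CLIENT_IP, SERVER_IP, inbound_segment()))
    print("outbound, -k all:", inspect(SERVER_IP, CLIENT_IP, outbound_offloaded_segment()))
    print("outbound, -k none:", inspect(SERVER_IP, CLIENT_IP, outbound_offloaded_segment(),
                                        verify_checksum=False))
```

Running it shows the asymmetry from the question: the inbound request alerts under the default settings, the outbound response with the unfilled checksum is discarded, and only with verification disabled does the same response trigger the rule. The same check can be pointed at real packets exported from Wireshark to confirm whether the checksum field on outgoing segments is what the NIC eventually sends or a placeholder.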

Sometimes the snaplen (-P) might also be an issue. Increase the value (default is the size of the MTU) and you will get a lot more data.
